The footprint
All Graphor production processing and storage occurs in theus-central1 Google Cloud region (Iowa, USA), with one exception: large-language-model inference is served from US AWS regions through Amazon Bedrock. There are no other production regions, no multi-region buckets, no edge caches that hold customer content, and no replication across continents.
This single-region posture is intentional. Regulated customers benefit from a residency story that fits on one line and that an auditor can verify with a single check per component.
1. Per-component residency
The table below covers every layer of the Graphor production environment that touches customer data, including derived content and operational telemetry. Anything not listed here does not process customer data.| Layer | Region | Notes |
|---|---|---|
| Authenticated application backend (REST, streaming, MCP transports) | us-central1 | Stateless. No customer data persisted on the backend instances. |
| Asynchronous ingestion workers | us-central1 | Long-running ingestion workflow — parsing, chunking, enrichment, embedding, indexing. |
| Document parsing service (GPU-accelerated) | us-central1 | Hosts the in-house parsing pipeline (OCR, partitioning, visual embedding). Runs in-house parsing models — no document content sent to an external parsing provider. |
| Primary relational database | us-central1 | Stores Account Information, Conversations, dataset metadata, API tokens, and billing-record identifiers. Automated backups + point-in-time recovery enabled (Data Retention §5). |
| Managed graph store | North American region under the managed graph provider’s footprint | Holds source nodes, document partitions, retrievable units (with embedding vectors), and per-dataset indexes. See Subprocessors §2. |
| In-memory cache + streaming fan-out | us-central1 | Ephemeral cache, streaming notifications, idempotency keys. No Customer Content persisted. |
| Internal message bus + analytics warehouse | us-central1 | Carries operational events and aggregates them into an analytics warehouse (counters and metadata only — no Customer Content). |
| Object storage — Customer documents | us-central1 (single-region; migrated from US multi-region) | Raw uploaded sources (PDFs, DOCX, audio, video, etc.). |
| Object storage — internal artifacts (model weights, public marketing assets, TLS certificate artifacts) | us-central1 (single-region) | No Customer Content. |
| Self-hosted observability store | us-central1 | Tier-aware (Enterprise default OFF, Free/Pro default ON with PII mask). See Data Retention §4. |
| Encryption keys | us-central1 | Cloud-provider-managed by default; customer-managed encryption keys available on enterprise request. See Trust Center Overview. |
2. AI model providers
AI inference is the only customer-data path that leaves Google Cloud. The provider chain (and the regions involved) is summarized below; full subprocessor characterization is in Subprocessors.| Provider | Production region(s) | Customer data sent | Retention |
|---|---|---|---|
| AWS Bedrock (serves Anthropic Claude family) | US regions only — us-east-1, us-east-2, us-west-1, us-west-2. The São Paulo region (sa-east-1) is configured as an optional failover but is not active in standard routing. | Per-request: the user’s question, retrieved chunks, conversation history, system prompt. | Per AWS Bedrock data-protection commitments — content is processed and encrypted in the AWS region selected; not retained for training; not shared with model providers. |
| OpenAI (embeddings + optional reranker) | Not pinned by basic documentation. | Per-build: chunk text for embedding. Per-request (only when reranker is enabled, which is off by default): retrieved chunks. | Zero Data Retention enrolled — abuse-monitoring logs eliminated. See Model Use and Training §4.3. |
| Cerebras (chunk enrichment + fast-tier inference) | US-based infrastructure. | Per-build: chunk text for enrichment. Per fast-tier request: user question + retrieved chunks. | Zero retention per published Privacy Policy. |
3. International transfer regime
Synapse is incorporated in Brazil and the catalyzing pilot customers are subject to LGPD; the same posture also satisfies GDPR for European customers.| Transfer leg | Legal basis | Source of contract |
|---|---|---|
| Customer → Synapse | Direct controller-to-processor relationship under the Graphor Data Processing Addendum. | Synapse–Customer DPA. |
Synapse → cloud infrastructure provider (us-central1) | LGPD art. 33 + 35 (international transfer to a country with adequate protection or under contractual safeguards). Inherited via the cloud-provider DPA, which incorporates Standard Contractual Clauses 2021/914. | Cloud-provider Data Processing Addendum (linked from Subprocessors §2). |
| Synapse → AWS Bedrock (US regions) | LGPD art. 33 + 35; AWS DPA incorporates Standard Contractual Clauses. | AWS Data Processing Addendum (linked from Subprocessors §3). |
| Synapse → OpenAI | LGPD art. 33 + 35; OpenAI DPA incorporates Standard Contractual Clauses; ZDR addendum signed. | OpenAI DPA + ZDR addendum (linked from Subprocessors §3). |
| Synapse → Cerebras | LGPD art. 33 + 35; subject to Cerebras Terms of Use and Privacy Policy commitments cited in Model Use and Training §4.4. | Cerebras Terms of Use + Privacy Policy (linked from Subprocessors §3). |
| Synapse → managed graph store provider | LGPD art. 33 + 35; provider DPA incorporates Standard Contractual Clauses. | Provider DPA (linked from Subprocessors §2). |
| Synapse → payment processor | LGPD art. 33 + 35; payment-processor DPA incorporates Standard Contractual Clauses. Payment processor handles only billing identifiers, not Customer Content. | Payment-processor DPA (linked from Subprocessors §5). |
4. Why us-central1
A single cloud region was chosen rather than a multi-region storage deployment or a cross-region active-active design for three reasons:- Auditability. A regulated customer can verify the residency claim by running a single command per layer against the cloud-provider CLI and confirming the region. A multi-region claim demands provider-level trust that data does not move between sub-regions.
- Predictable latency for the Brazilian user base.
us-central1(Iowa) is one of the lower-latency US regions for traffic originating in Brazil over public-internet routes. The latency tradeoff vs a São Paulo region is acceptable for current traffic patterns; see §5 for the Brazil-region roadmap. - Subprocessor co-location with AWS US regions. Bedrock-hosted inference returns to Graphor over public network paths; co-locating the Graphor backend with the Bedrock regions reduces round-trip variance.
us-central1 single-region was completed as part of this trust-documentation initiative. Stg is intentionally not migrated — it does not host real customer data.
5. Roadmap
Two alternative regions are on the roadmap. Neither has a committed delivery date — both unlock on customer request for the enterprise tier, subject to a cost/timeline review per customer. EU region — for GDPR-bound customers that require EU-only residency end-to-end. Tradeoffs:- Requires migrating every component in the per-layer residency table to an EU region.
- Requires switching the Bedrock region to an EU Bedrock region. Anthropic Claude availability in EU Bedrock regions varies by model; the Standard tier model would be pinned to whichever Opus version is GA in the chosen EU Bedrock region at the time of provisioning.
- OpenAI does not pin a residency region today; the EU posture would rely on the OpenAI ZDR addendum (zero retention) as the compensating control, or replace OpenAI embeddings with a self-hosted embedding model on the EU footprint.
- The managed graph store supports EU regions natively.
- The cloud infrastructure provider supports the full Graphor stack in the São Paulo region.
- AWS Bedrock is already available in
sa-east-1(São Paulo) — Anthropic Claude on Bedrock is GA in this region as of 2025. The Standard tier could be served entirely from Brazilian regions if the customer requires it; this is the lightest-lift alternative residency option. - The managed graph store does not currently offer a São Paulo region; the Brazil deployment would either accept a North-American managed instance (with the contractual residency commitment from the provider) or migrate to a self-hosted graph store on the São Paulo footprint.
- OpenAI embeddings remain non-region-pinned; same compensating control as the EU case.
6. Things that explicitly do NOT happen
Stating these explicitly removes ambiguity for security and privacy reviewers:- No cross-region replication of Customer Content. The customer-content storage is single-region; the primary relational database has no cross-region replica; backups stay within the cloud-provider region’s redundancy posture.
- No CDN caching of authenticated responses. Authenticated application responses are not cached in any edge location. Public marketing assets may be edge-cached but contain no Customer Content.
- No content sent to a multi-region or global resource by default. The legacy multi-region customer-content store has been migrated; no production component routes customer data through a multi-region resource.
- No silent regional failover. AWS Bedrock has configured failover regions (US-only) that activate on quota or availability events; the failover regions are all US. The configured São Paulo failover slot is currently disabled — a future activation will be published on the Subprocessors page before it takes effect.
7. Change history
| Version | Date | Change |
|---|---|---|
| 1.0 | 2026-06-21 | Initial publication. Documents the single-region us-central1 posture post-migration of the customer-content storage. |
Contact
- General privacy and data-residency inquiries: privacy@graphorlm.com
- Residency change notifications: subprocessors@graphorlm.com
- Customer support: support@graphorlm.com